NSA Details Chinese Cyber Theft of F-35, Military Secrets

China obtained more than 50 terabytes of data from U.S. defense and government networks, notably the Joint Strike Fighter’s stealth radar and engine secrets, through cyber espionage, according to newly disclosed National Security Agency documents.

A NSA briefing slide labeled "Top Secret" and headlined "Chinese Exfiltrate Sensitive Military Data," states that the Chinese have stolen a massive amount of data from U.S. government and private contractors.

The document was made public by the German magazine Der Spiegel in a two articles detailing how NSA in the mid-2000s was capable of conducting global cyber intelligence-gathering by tapping into the networks of foreign intelligence services and stealing the data they were collecting from others.

The unique capability of spying on the spies was described in a series of documents that were stolen in 2013 by former NSA contractor Edward Snowden, currently a fugitive in Russia.

For the F-35, according to NSA the Chinese were able to obtain digital design information on several different types of radar modules used by the fighter.

Northrop Grumman, the jet’s manufacturer, built the AN/APG-81 active, electronically scanned array radar for the F-35. The high-tech radar uses small, solid-state transmitter and receiver modules that allow the jet to avoid detection by enemy radar, a key stealth feature.

Another Northrop radar on the F-35 is the AN/AAS-37 electro-optical distributed aperture system the company says provides pilots with "unique protective sphere around the aircraft for missile warning, navigation support, and night operations," according to Northrop’s website.

On F-35 engine schematics, the Chinese stole data on the methods used by the turbine to cool gases, along with leading and trailing edge engine treatments and engine heat reduction data—also key elements of its stealth design.

By learning the secrets, the Chinese were able to include the design and technology in Beijing’s new stealth jet, the J-20. The secret also could allow Chinese air defenses to target the F-35 in a future conflict.

The NSA estimated in the briefing slide that the Chinese had conducted more than 30,000 cyber attacks as part of the massive defense industrial espionage, and that more than 500 attacks were "significant intrusions in DoD systems."

More than 1,600 network computers were penetrated and at least 600,000 user accounts were compromised, the undated slide stated, noting that the damage from the Chinese cyber spying was assessed to be more than $100 million, mainly in costs for rebuilding networks.

Other losses to Chinese cyber spies included the air refueling schedules of the U.S. Pacific Command, the military command that would be engaged in any future conflict with China.

The refueling schedules could reveal to the Chinese how Pacific Air Forces conduct operations in wartime and how they are supported in military operations over long distances of the Pacific.

China also stole data on the U.S. Transportation Command’s Single Mobility System. The network system is used by Transcom to plan missions for sending military troops and equipment by aircraft, ship, road, and rail in military operations.

Knowing details contained in the database could allow the Chinese to disrupt or sabotage Transcom’s critical support missions during a conflict or crisis.

The NSA also revealed that the Air Force’s networks were infiltrated by Chinese hackers, an attack that resulted in the loss of 33,000 records for general and field grade officers.

Navy losses to Chinese hackers included data on missile navigation and tracking system, nuclear submarine and anti-aircraft missile design and over 300,000 user identification and passwords.

The Chinese also obtained sensitive science and technology data controlled for export from U.S. networks, including International Traffic and Arms Restrictions (ITAR) secrets, and contractor research and development.

In all, the NSA concluded that the Chinese compromised key weapons systems including the F-35, the B-2 bomber, the F-22 fighter-bomber, the Space Based Laser, and other systems.

The amount of stolen data was "the equivalent of five Libraries of Congress (50 terabytes)," the NSA said. A terabyte is 1,000 gigabytes.

The slide appeared to be part of a briefing for the NSA’s "Sigint Development" division on how to prevent foreign spies from inserting malicious software into the weapons design process.

The slide indicated that the NSA planned to use Signals Intelligence-enabled countermeasures to counter enemy network intrusions.

A separate NSA document outlined a Chinese cyber spying operation code-named "Byzantine Hades" that included 12 coded subcategories. These included "Byzantine Candor," a subgroup concentrated on the Defense Department, commercial oil deals, and current geopolitical and economic events.

Other elements of the operation included cyber spying on Congress, weapons contractors, the National Aeronautics and Space Administration, and the Energy Department, which is in charge of building nuclear weapons and developing advanced technology.

The "Byzantine Foothold" subgroup was used to target Transcom and the Pacific Command as well as defense contractors.

In "Byzantine Candor" cyber attacks, the Chinese used Facebook as a command and control point for planting malware. One NSA slide showed that victims who unwittingly accessed a Facebook page through an email would end up with their computers under the remote control of the Chinese.

The report said that in late October 2009 the NSA was able to penetrate a Chinese hacking "virtual machine" that was linked to the 3rd Department of the People’s Liberation Army General Staff Department, the Chinese NSA known as "3PLA."

The Justice Department last May indicted five PLA hackers for their roles in a major cyber espionage operation against American companies and a labor union.

A third NSA document revealed that NSA and its Tailored Access Operations unit, which conduct cyber attacks, engages in "remote subversion." Those include foreign network penetrations, "on-net" access operations, and software implantation.

The Der Spiegel documents were partially redacted, an indication the news organization coordinated publication of the documents with authorities.

The Washington Free Beacondisclosed in March that Chinese cyber espionage against the F-35 was so successful that U.S. intelligence agencies believe that the stolen secrets were used to build China’s new J-20 stealth jet.

The cyber spying was carried out by a Chinese military unit called the Technical Reconnaissance Bureau, located in the Chengdu province.

Photo comparisons of the F-35 and J-20 revealed remarkable similarities between the two aircraft.

Bill GertzEmail Bill | Full Bio | RSSBill Gertz is senior editor of the Washington Free Beacon. Prior to joining the Beacon he was a national security reporter, editor, and columnist for 27 years at the Washington Times. Bill is the author of seven books, four of which were national bestsellers. His most recent book was iWar: War and Peace in the Information Age, a look at information warfare in its many forms and the enemies that are waging it. Bill has an international reputation. Vyachaslav Trubnikov, head of the Russian Foreign Intelligence Service, once called him a “tool of the CIA” after he wrote an article exposing Russian intelligence operations in the Balkans. A senior CIA official once threatened to have a cruise missile fired at his desk after he wrote a column critical of the CIA’s analysis of China. And China’s communist government has criticized him for news reports exposing China’s weapons and missile sales to rogue states. The state-run Xinhua news agency in 2006 identified Bill as the No. 1 “anti-China expert” in the world. Bill insists he is very much pro-China—pro-Chinese people and opposed to the communist system. Former Defense Secretary Donald H. Rumsfeld once told him: “You are drilling holes in the Pentagon and sucking out information.” His Twitter handle is @BillGertz.